Explicitely only accept closures from our dependencies in ClosureJob

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
4 years ago · d8c419c304
parent 3e94faef06
commit d8c419c304
1 changed files with 4 additions and 1 deletions
--- a/lib/private/Command/ClosureJob.php
+++ b/lib/private/Command/ClosureJob.php
@ -23,10 +23,13 @@
 namespace OC\Command;

 use OC\BackgroundJob\QueuedJob;
+use Laravel\SerializableClosure\SerializableClosure as LaravelClosure;
+use Opis\Closure\SerializableClosure as OpisClosure;

 class ClosureJob extends QueuedJob {
 	protected function run($serializedCallable) {
-		$callable = unserialize($serializedCallable)->getClosure();
+		$callable = unserialize($serializedCallable, [LaravelClosure::class, OpisClosure::class]);
+		$callable = $callable->getClosure();
 		if (is_callable($callable)) {
 			$callable();
 		} else {